+>[!NOTE]

+> The Visio report currently becomes available within 72 hours. We are working to reduce the latency to 48 hours like other reports.

+Cloud attachments, sometimes also known as modern attachments, are a sharing mechanism that uses embedded links to files that are stored in the cloud. They support centralized storage for shared content with collaborative benefits, such as version control. Cloud attachments are not attached copies of a file or a URL text link to a file. However, support for URL text links are also now gradually rolling out. You might find it helpful to refer to the visual checklists for supported cloud attachments in [Outlook](/office365/troubleshoot/retention/cannot-retain-cloud-attachments#cloud-attachments-in-outlook) and [Teams](/office365/troubleshoot/retention/cannot-retain-cloud-attachments#cloud-attachments-in-teams).

+- If cloud attachments and links in a Teams message are changed after the message is sent by editing the message, those changed cloud attachments and links aren't supported for retention.

+- When a user is added to a Teams conversation and given access to the full history of the conversation, that history can include cloud attachments and URL text links. If these attachments were shared within 48 hours of the user added to the conversation, current copies of the attachments are auto-labeled for retention. Attachments shared before this time period aren't supported for newly added users.

+- Attachments and links shared outside Teams and Outlook aren't supported, and the attachments and links must be content stored in SharePoint or OneDrive.

+- Cloud attachments and links in encrypted emails or encrypted messages aren't supported.

+- Specific to shared documents from URL text links:

+ - Supported in the message body but not in the email subject or Teams channel subject, announcement, or subheadings.

+ - Not supported for files that are uploaded to Yammer and from there, shared as URLs via email or Teams messages (typically have "https://web.yammer.com" at the beginning of the URL)

+ - Not supported for previous responses in the same thread, only the current message

+ - Total limit of 25 attachments in a single message, where this maximum can be any combination of cloud attachments and shared documents from URL text links

+ - Not supported beyond 5,000 characters in the initial email body or Teams message

+- The following items aren't supported as attachments that can be retained:

+- OPTIONAL: Install the v95+ Edge browser on your macOS devices to have native Endpoint DLP support on Edge.

+ 1. Update the existing Full Disk Access configuration profile with the fulldisk.mobileconfig file.

+- OPTIONAL: Install the v95+ Edge browser on your macOS devices to have native Endpoint DLP support on Edge.

+- OPTIONAL: Install the v95+ Edge browser on your macOS devices to have native Endpoint DLP support on Edge.

+Onboarding a macOS device into Compliance solutions is a multiphase process.

+ - Accessibility

+- OPTIONAL: Install the v95+ Edge browser on your macOS devices to have native Endpoint DLP support on Edge.

+ - Accessibility

+description: "Learn how to add a policy tip to a data loss prevention (DLP) policy notify a user that they're working with content that conflicts with a DLP policy."

+DLP policy tips in Outlook Web Access are supported for all the conditions, and actions that are applicable on Exchange workload in a DLP policy except the following:

+Currently, Outlook 2013 and later supports showing policy tips for policies that contain these conditions:

+For E3 licensed users

+- Content contains (works only for Sensitive information types. Sensitivity labels aren't supported)

+For E5 licensed users (preview)

+- Content contains Sensitive information types

+- Content contains Sensitivity labels (works for email labels, Office docs and PDF files)

+- Content is shared

+- Sender is

+- Sender is member of

+- Sender domain is

+- Recipient is

+- Recipient is a member of

+- Recipient domain is

+- Subject contains words

+All the conditions work for emails authored in Outlook client app, where they'll match content and enforce protective actions on content. However, showing policy tips to users isn't supported for any conditions that are used apart from the ones mentioned above.

+## Outlook 2013 and later and Office apps on Desktop support showing policy tips for only some sensitive information types

+For E5 customers, DLP policy tips will be shown in Outlook 2013 and later and Office apps, for policies that use:

+- [Preconfigured sensitive information types](sensitive-information-type-entity-definitions.md) (SITs)

+- Custom SITs

+- [Named entity SITs](named-entities-learn.md)

+- [Exact data match (EDM) SITs](sit-get-started-exact-data-match-based-sits-overview.md)

+- [Credential scanning SITs](sit-defn-all-creds.md)

+- [Trainable classifiers definitions](classifier-tc-definitions.md)

+Custom sensitive information types will also be detected in addition to the above out-of-the-box sensitive information types

+|**Outlook Mobile (iOS, Android)/Outlook Mac**|:::image type="icon" source="../media/crsmrk.png" border="false":::|none|none|DLP policy tips aren't supported on Outlook mobile|

+|**SharePoint Win32/ OneDrive for Business Win32 client**|:::image type="icon" source="../media/crsmrk.png" border="false":::|none|none|DLP policy tips aren't supported on SharePoint or OneDrive desktop client apps|

+|**Word, Excel, PowerPoint Mobile Client**|:::image type="icon" source="../media/crsmrk.png" border="false":::|none|none|DLP policy tips aren't supported in mobile apps for Office.|

+|**Teams Web/ Teams Desktop/ Teams Mobile/ Teams Mac**|:::image type="icon" source="../media/rightmrk.png" border="false":::|all|all Teams predicates in DLP policy|Policy tips will show when a message is flagged as ΓÇ£This message has been flagged. What can I do?ΓÇ¥ When clicking the link, the user can review the sensitive info types detected and override or report an issue if allowed by the admin. No policy tips are shown for files. When the recipient tries to access the document, they might get access denied if not allowed.|

+|**macOS devices**|default tips only|all|subset|Data loss prevention policies are enforceable on macOS devices. Custom policy tips aren't supported.|

+|**3rd party cloud apps**|:::image type="icon" source="../media/crsmrk.png" border="false":::|none|none|Data Loss Prevention policy tips aren't supported on third party cloud apps|

+|**Word, Excel, PowerPoint Win32 Client**|:::image type="icon" source="../medi#policy-tips-in-excel-powerpoint-and-word) for more details|

+- **In preview**: Auto-labeling retention policies for [cloud attachments](apply-retention-labels-automatically.md#auto-apply-labels-to-cloud-attachments) that were already in preview are now gradually rolling out support for URL text links.

+|[Azure AD setup guide](https://go.microsoft.com/fwlink/?linkid=2223229)|[Azure AD setup guide](https://go.microsoft.com/fwlink/?linkid=2224193)|The **Azure AD setup guide** provides information to ensure your organization has a strong security foundation. In this guide you'll set up initial features, like Azure Role-based access control (Azure RBAC) for admins, Azure AD Connect for your on-premises directory, and Azure AD Connect Health, so you can monitor your hybrid identity's health during automated syncs.<br>It also includes essential information on enabling self-service password resets, conditional access and integrated third party sign-on including optional advanced identity protection and user provisioning automation.|

+1. Some telephone carriers now [require unverified toll numbers to be verified](/azure/communication-services/concepts/sms/sms-faq#sms-to-us-phone-numbers). This requirement became effective October 1, 2022. Some carriers are following this more strictly than others.

+You'll need to [register your generated phone number in this form](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR0NW3g8C-tRNlyVpwWkCiS1UOEFCVTRHSFMwRk9BVTg3MVdZQlVCNEI4SS4u). This will ensure none of your SMS messages will be blocked when sent to US phone numbers.

+Oracle Health integration is currently only available in the United States.

+> [!IMPORTANT]

+> PowerChart is only available in Microsoft Edge. Internet Explorer is no longer supported.

+1. Some telephone carriers now [require unverified toll numbers to be verified](/azure/communication-services/concepts/sms/sms-faq#sms-to-us-phone-numbers). This requirement became effective October 1, 2022. Some carriers are following this more strictly than others.

+You'll need to [register your generated phone number in this form](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR0NW3g8C-tRNlyVpwWkCiS1UOEFCVTRHSFMwRk9BVTg3MVdZQlVCNEI4SS4u). This will ensure none of your SMS messages will be blocked when sent to US phone numbers.

+<!--Worldwide endpoints version 2023032900-->

+<!--File generated 2023-03-29 17:00:01.6148-->

+ Title: Assign user access

+# Assign user access

+ Title: Use basic permissions to access the portal

+No. Customer data is isolated from other customers and is not shared. However, threat intelligence on the data resulting from Microsoft processing, and which don't contain any customer-specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.

+ :::image type="content" source="images/onboarding-macos.png" alt-text="The Settings page." lightbox="images/onboarding-macos.png":::

+The Microsoft Defender for Endpoint blog,

+[EDR capabilities for macOS have now arrived](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect.

+You can also configure whether and what features end users can see.

+Within 10-15 minutes, these domains will be listed in Microsoft 365 Defender under Indicators > URLs/Domains with Action=Warn. Within the enforcement SLA (see details at the end of this article).

+Within 10-15 minutes, these domains will be listed in Microsoft 365 Defender under Indicators > URLs/Domains with Action=Warn. Within the enforcement SLA (see details at the end of this article), end users will be getting warn messages when attempting to access these domains:

+4. Select the + button to add a new action. The new action will be an HTTP request to the Defender for Endpoint device(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines").

+|[Morphisec](https://go.microsoft.com/fwlink/?linkid=2201966)|Morphisec|Provides Moving Target Defense-powered advanced threat prevention and integrates forensics data directly into Microsoft 365 Defender dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information.|

+Behaviors are a type of data in Microsoft 365 Defender based on one or more raw events. Behaviors provide contextual insight into events and can, but not necessarily, indicate malicious activity. [Read more about behaviors](/defender-cloud-apps/behaviors)

+A: Currently, there are 40+ localized payloads available in 29+ languages: English, Spanish, German, Japanese, French, Portuguese, Dutch, Italian, Swedish, Chinese (Simplified), Norwegian Bokmål, Polish, Russian, Finnish, Korean, Turkish, Hungarian, Hebrew, Thai, Arabic, Vietnamese, Slovak, Greek, Indonesian, Romanian, Slovenian, Croatian, Catalan, and Other. We've noticed that any direct or machine translations of existing payloads to other languages will lead to inaccuracies and decreased relevance.

+ > You can also create login pages during the creation of simulations or simulation automations. For more information, see [Create a simulation: Select a payload and login page](attack-simulation-training-simulations.md#select-a-payload-and-login-page) and [Create a simulation automation: Select payloads and login pages](attack-simulation-training-simulation-automations.md#select-payloads-and-login-pages).

+- **Type**: Currently, this value is always **Social engineering**.

+## Select payloads and login pages

+### Select payloads

+- The **Login page** tab is available only for **Credential Harvest** or **Link in Attachment** payloads and is described in the [Select login pages](#select-login-pages) subsection.

+### Select login pages

+The **Randomize** option on the [Select payloads and login pages](#select-payloads-and-login-pages) page works as follows:

+ Title: Microsoft Teams in Attack simulation training

+audience: ITPro

+ms.localizationpriority: medium

+ - m365-security

+ - tier2

+description: Admins can learn about the addition of Microsoft Teams in delivering simulated phishing attacks in in Attack simulation training in Microsoft Defender for Office 365 Plan 2.

+search.appverid: met150

+# Microsoft Teams in Attack simulation training

+**Applies to**

+- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)

+In organizations with Microsoft Defender for Office 365 Plan 2 or Microsoft 365 Defender, admins can now use Attack simulation training to deliver simulated phishing messages in Microsoft Teams. For more information about attack simulation training, see [Get started using Attack simulation training in Defender for Office 365](attack-simulation-training-get-started.md).

+The addition of Teams in Attack simulation training affects the following features:

+- [Simulations](attack-simulation-training-simulations.md)

+- [Payloads](attack-simulation-training-payloads.md)

+- [Simulation automations](attack-simulation-training-simulation-automations.md)

+[Payload automations](attack-simulation-training-payload-automations.md), [end-user notifications](attack-simulation-training-end-user-notifications.md), [login pages](attack-simulation-training-login-pages.md), and [landing pages](attack-simulation-training-landing-pages.md) are not affected by Teams in Attack simulation training.

+## Changes in simulations for Microsoft Teams

+Teams introduces the following changes to viewing and creating simulations as described in [Simulate a phishing attack with Attack simulation training in Defender for Office 365](attack-simulation-training-simulations.md):

+- On the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations>, the **Platform** column shows the value **Teams** for simulations that use Teams messages.

+- If you select  **Launch a simulation** on the **Simulations** tab to create a simulation, the first page of the new simulation wizard is **Select delivery platform** where you can select **Microsoft Teams**. Selecting **Microsoft Teams** introduces the following changes to the rest of the new simulation wizard:

+ - On the **[Select technique](attack-simulation-training-simulations.md#select-a-social-engineering-technique)** page, the **Malware Attachment** and **Link in Attachment** social engineering techniques are not available.

+ - On the **[Name simulation](attack-simulation-training-simulations.md#name-and-describe-the-simulation)** page, a **Select sender's Microsoft Teams account** section and **Select user account** link are present. Click **Select user account** to find and select the account to use as the source for the Teams message.

+ - On the **[Select payload and login page](attack-simulation-training-simulations.md#select-a-payload-and-login-page)**, no payloads are listed by default because there are no built-in payloads for Teams. You need to create a payload for the combination of Teams and the social engineering technique that you selected.

+ The differences in creating payloads for Teams are described in the [Changes in payloads for Microsoft Teams](#changes-in-payloads-for-microsoft-teams) section in this article.

+ - On the **[Target users](attack-simulation-training-simulations.md#target-users)** page, the following settings are different for Teams:

+ - As noted on the page, guest users in Teams are excluded from simulations.

+ - If you select **Include only specific users and groups**, **City** is not an available filter in the **Filter users by category** section.

+Other settings related to simulations are the same for Teams messages as described in the existing content for email messages.

+## Changes in payloads for Microsoft Teams

+Whether you create a payload on the **Payloads** page of the **Content library** tab or on the **[Select payload and login page](attack-simulation-training-simulations.md#select-a-payload-and-login-page)** page in the new simulation wizard, Teams introduces the following changes to viewing and creating payloads as described in [Payloads in Attack simulation training in Defender for Office 365](attack-simulation-training-payloads.md):

+- On the **Global payloads** and **Tenant payloads** tabs on **Payloads** page of the **Content library** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>, the **Platform** column shows the value **Teams** for payloads that use Teams messages.

+ If you click  **Filter** to filter the list of existing payloads, a **Platform** section is available where you can select **Email** and **Teams**.

+ As previously described, there are no built-in payloads for Teams, so if you filter by **Status** \> **Teams** on the **Global payloads** tab, the list will be empty.

+- If you click  **Create a payload** on the **Tenant payload** tab to create a payload, the first page of the new payload wizard is **Select type** where you can select **Teams**. Selecting **Teams** introduces the following changes to the rest of the new payload wizard:

+ - On the **[Select technique](attack-simulation-training-payloads.md#create-payloads)** page, the **Malware Attachment** and **Link in Attachment** social engineering techniques are not available for Teams.

+

+ - The **Configure payload** page has the following changes for Teams:

+ - **Sender details** section: The only available setting for Teams is **Chat topic** where you enter a tile for the Teams message.

+ - The last big section is not named **Email message**, but it functions the same way for Teams messages as it does for email messages:

+ - There's an **Import Teams message** button to import an existing plain text message file to use as a starting point.

+ - The **Dynamic tag** and **Phishing link** controls are available on the **Text** tab, and **Code** tab is available as with email messages.

+Other settings related to payloads are the same for Teams messages as described in the existing content for email messages.

+## Changes in simulation automations for Microsoft Teams

+Teams introduces the following changes to viewing and creating simulation automations as described in [Simulation automations for Attack simulation training](attack-simulation-training-simulation-automations.md):

+- On the **Simulation automations** page of the **Automations** tab at <https://security.microsoft.com/attacksimulator?viewid=automations>, the following columns are also available:

+ - **Type**: Currently, this value is always **Social engineering**.

+ - **Platform**: Shows the value **Teams** for payload automations that use Teams messages or **Email** for payload automations that use email messages.

+- If you click  **Create automation** on the **Simulation automations** page to create a simulation automation, the first page of the new simulation automation wizard is **Select delivery platform** where you can select **Teams**. Selecting **Teams** introduces the following changes to the rest of the new simulation automation wizard:

+ - On the [Automation name](attack-simulation-training-simulation-automations.md#name-and-describe-the-simulation-automation) page, the following settings are available for Teams in the **Select method for choosing sender accounts** section:

+ - **Manually select**: This value is selected by default. In the **Select sender's Microsoft Teams account** section, click the **Select user account** to find and select the account to use as the source for the Teams message.

+ - **Randomize**: Randomly select from the available accounts to use as the source for the Teams message.

+ - On the **[Select social engineering techniques](attack-simulation-training-simulation-automations.md#select-one-or-more-social-engineering-techniques)** page, the **Malware Attachment** and **Link in Attachment** social engineering techniques are not available for Teams.

+ - On the **[Select payloads and login page](attack-simulation-training-simulation-automations.md#select-payloads-and-login-pages)** page, no payloads are listed by default because there are no built-in payloads for Teams. You might need to create a payload for the combination of Teams and the social engineering techniques that you selected.

+ The differences in creating payloads for Teams are described in the [Changes in payloads for Microsoft Teams](#changes-in-payloads-for-microsoft-teams) section in this article.

+ - On the **[Target users](attack-simulation-training-simulation-automations.md#target-users)** page, the following settings are different for Teams:

+ - As noted on the page, simulation automations that use Teams can target a maximum of 1000 users.

+ - if you select **Include only specific users and groups**, **City** is not an available filter in the **Filter users by category** section.

+Other settings related to simulation automations are the same for Teams messages as described in the existing content for email messages.

+Campaigns in the Microsoft 365 Defender portal identifies and categorizes coordinated email attacks, including phishing and malware. Microsoft's management of email attacks into discrete campaigns will help you to:

+- **Attack Simulation and Training**: In order to ensure your users are resilient to phishing attacks in Microsoft Teams, admins can configure phishing simulations in Teams similar to how they do so in email. For more information, see [Microsoft Teams in Attack simulation training](attack-simulation-training-teams.md).

+- [New features are continually being added to Microsoft Defender for Office 365](defender-for-office-365-whats-new.md). As new features are added, you might need to make adjustments to your existing Safe Links policies.

+- Use the URL <http://spamlink.contoso.com> to test Safe Links protection. This URL is similar to the GTUBE text string for testing anti-spam solutions. This URL is not harmful, but it will trigger Safe Links protection.

+- Admins can submit messages as old as 30 days if they're still available in the mailbox and haven't been purged by the user or an admin.

+For URLs reported as false positives, we'll allow subsequent messages that contain variations of the original URL. For example, you use the Submissions page to report the incorrectly blocked URL `www.contoso.com/abc`. If your organization later receives a message that contains the URL (for example but not limited to: `www.contoso.com/abc`, `www.contoso.com/abc?id=1`, `www.contoso.com/abc/def/gty/uyt?id=5`, or `*.contoso.com/abc`), the message won't be blocked based on the URL. In other words, you don't need to report multiple variations of the same URL as good to Microsoft.

+ For URLs reported as false positives, we'll allow subsequent messages that contain variations of the original URL. For example, you use the Submissions page to report the incorrectly blocked URL `www.contoso.com/abc`. If your organization later receives a message that contains the URL (for example but not limited to: `www.contoso.com/abc`, `www.contoso.com/abc?id=1`, `www.contoso.com/abc/def/gty/uyt?id=5`, or `*.contoso.com/abc`), the message won't be blocked based on the URL. In other words, you don't need to report multiple variations of the same URL as good to Microsoft.

+ - *Add and remove entries from the Tenant Allow/Block List*: Membership in one of the following role groups:

+ - *Read-only access to the Tenant Allow/Block List*: Membership in one of the following role groups:

+ - [Azure AD RBAC](../../admin/add-users/about-admin-roles.md): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions *and* permissions for other features in Microsoft 365.

+> Microsoft manages the allow entry creation process for URLs from the Submissions page. We'll create allow entries for URLs that were determined to be malicious by our filters during mail flow or at time of click.

+> We allow subsequent messages that contain variations of the original URL. For example, you use the Submissions page to report the incorrectly blocked URL `www.contoso.com/abc`. If your organization later receives a message that contains the URL (for example but not limited to: `www.contoso.com/abc`, `www.contoso.com/abc?id=1`, `www.contoso.com/abc/def/gty/uyt?id=5`, or `*.contoso.com/abc`), the message won't be blocked based on the URL. In other words, you don't need to report multiple variations of the same URL as good to Microsoft.

+>

+> When the URL is encountered again, all filters associated with the URL are overridden.

+> [!NOTE]

+> This scenario applies only to blocks.

+- **Block match**:

+- **Block not matched**:

+> [!NOTE]

+> This scenario applies only to blocks.

+- **Block match**:

+- **Block not matched**: